Due to how mod_security works, the definition order of rules and exceptions is important (rule IDs have no bearing on the execution order). In particular, conditional SecRules (those carrying `ctl:ruleRemove*` actions) have to be declared before the CRS rules.
So for recipes/macros to work you need one `*.preconf` per vhost, and it has to be configured so that it actually runs before the rest of the CRS.
To do so:
1. Open `/etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` in the vhost/conf dropdown.
2. Add the Recipe → Setup → CRS preconfig includes.
3. Adjust the `IncludeOptional` path to where your normal `vhost.*.conf` files reside, if it wasn't autodetected.
4. Lastly open File → Settings (F12) and enable ☑ Create and use *.preconf globally.
Whenever you declare a recipe that belongs in a `*.preconf` file, modseccfg automatically redirects the directive there, creating the preconf first if it does not exist yet.
So once set up, you can just select the regular `*.conf` file in the vhost/conf dropdown, and modseccfg will redirect any settings as required.
What's the resulting file structure?
Normally you'd have one `*.preconf` per `vhost.*.conf`:
They also show up atop the vhost/conf dropdown once the 900-EXCLUSION `IncludeOptional` is defined correctly. The dropdown lists files in the order in which Apache reads them.
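As an added illustration (not taken from the modseccfg project or its documentation), this is what the three files involved can look like once the steps above are done. The 900-EXCLUSION file name comes from the page; the sites-enabled path, the vhost name, the DocumentRoot and the rule ids are assumptions.

```apache
# Added example, not modseccfg's own output. Paths, vhost name and rule ids
# are assumptions; only the 900-EXCLUSION file name is from the page.

# --- /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ---
# Pull in every per-vhost preconf before the CRS rule files are read, so
# that the conditional exclusions below are defined ahead of the CRS rules.
IncludeOptional /etc/apache2/sites-enabled/*.preconf

# --- /etc/apache2/sites-enabled/example.preconf (auto-created by modseccfg) ---
# Bound to the DocumentRoot of the matching vhost, so the exclusion only
# affects requests served from that directory.
<Directory /var/www/example>
    # Conditional exclusion for one endpoint: drop the listed CRS ids
    # (illustrative ids) only when the request path starts with /upload.
    SecRule REQUEST_URI "@beginsWith /upload" \
        "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=941100-941110"
</Directory>

# --- /etc/apache2/sites-enabled/example.conf (the regular vhost file) ---
<VirtualHost *:443>
    ServerName example.test
    DocumentRoot /var/www/example
    # Plain, unconditional removals need no special ordering and can stay
    # in the vhost file itself (illustrative id).
    SecRuleRemoveById 920350
</VirtualHost>
```

The `<Directory>` wrapper is what ties the preconf to a single vhost; dropping it turns the same directives into server-wide ones, which is the basis of the single global preconf discussed further down. When checking a deployment, `apachectl -t` should be run after adding a preconf: a rule id reused across files is rejected at startup, and a preconf that is silently not included (wrong `IncludeOptional` path) shows up as exclusions that never take effect.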
Do I really need this?
If you're only using modseccfg to disable existing rules, then no: the standard vhost.conf files are sufficient, and you won't need `*.preconf` files for that.
Currently only a handful of recipes and the setting of CRS variables depend on them.
One global *.preconf for all sites?
Auto-created `*.preconf` files are bound to one DocumentRoot per vhost. So if you want one preconf file for all (or multiple) vhosts, you'll have to remove the `<Directory>` wrapper and manually symlink the per-vhost filenames to one central file.
- For auto-creation, the file extensions `.conf`, `.dir` and `.vhost` are recognized; otherwise `.preconf` is just appended.
- For writer insertions, `rx.end` ought to look for `</Directory>` instead of `</VirtualHost>` section markers, and insert before that.
- Appending should still work for `.dir` files (single global preconf).
Instead of preconf files, you could also set up the mod_security rules to load after any vhosts, e.g. with a sites-late-enabled/ or modules-late-enabled/ directory. That, however, would make the simpler `SecRuleRemove*` directives largely ineffective, since they would then be read before the CRS rules they are meant to remove.